(Because “In accordance with applicable legal requirements…” is not how humans talk.)
You’ve seen it a hundred times.
The Information Security Policy that lives in SharePoint and no one has opened since 2019.
The Acceptable Use Policy that starts with “It is strictly forbidden…” and ends with a sigh.
The 12-page PDF that gets you through the audit but means nothing to the people it’s supposed to guide.
Let’s be honest: most policies fail not because people don’t care, but because they’re written for auditors, not for humans.
If your goal is to make people actually follow a policy, not just acknowledge it once a year, here’s how to fix it.
1. Remember Why Policies Exist
A policy isn’t a compliance artifact. It’s a decision compass.
It exists to make sure people act consistently when no one’s watching.
When you start a policy project with the sentence:
“We need this for ISO,”
you’ve already lost.
The right mindset is:
“We need this so people stop guessing what’s expected.”
That tiny shift (from auditor-focused to behavior-focused) changes everything about how you write, structure, and maintain your policies.
2. Stop Writing for the Auditor
If your first sentence includes “in accordance with applicable legal, regulatory, and contractual obligations,” congratulations: you just made everyone stop reading.
That’s not clarity, that’s camouflage.
Write like you’d explain it to a new teammate on their first day.
- Use short sentences.
- Use active verbs.
- Say “you” or “we,” not “the user” or “the organization.”
Example:
❌ All employees are required to ensure the safeguarding of sensitive information in accordance with internal and external obligations.
✅ Protect sensitive data. Don’t share it outside the company without approval.
See? Still compliant. But now it sounds like a person talking to another person.
3. Know the Difference: Policy ≠ Procedure ≠ Process
This confusion ruins half of all documentation projects.
Here’s the breakdown:
| Level | Purpose | Example |
|---|---|---|
| Policy | Defines the rule (the “what”) | “All information must be classified before storage.” |
| Procedure | Explains how to apply it | “Use the company’s 4-level classification model.” |
| Process | Describes the operational flow | “System automatically tags files by classification level.” |
Stop stuffing procedures into policies.
Policies tell you what to do, not how to click the button.
4. Assign Ownership or Watch It Die
Every policy needs a name next to it, someone accountable for keeping it alive.
Otherwise, it will slowly decompose in a shared drive until the next ISO audit digs it up.
Minimum viable governance:
- Policy Owner – keeps content up to date.
- Approver – validates and signs off.
- Review Frequency – usually annual, or whenever something changes.
If a policy doesn’t name an owner, it’s a zombie. It exists, but it’s not alive.
5. Keep It Short (Really Short)
If your Information Security Policy is 12 pages long, it’s not a policy, it’s an essay.
Aim for one page per topic.
And for the love of clarity: no passive voice, no filler, no legalese.
Quick rewrite example:
❌ “The organization reserves the right to monitor employee internet usage as deemed appropriate.”
✅ “We monitor network activity to keep systems safe. Don’t use corporate internet for personal stuff.”
One line. Clear, transparent, defensible.
6. Give It a Home (and Visibility)
Policies die in PDFs.
Bring them to life:
- Put them on the intranet.
- Link them from your onboarding.
- Turn key rules into infographics or Teams posts.
- Run a short quiz once a year.
It’s not about awareness campaigns, it’s about repetition and visibility.
People can’t follow what they never see.
7. Use the 6-Element Policy Framework
Here’s the structure we use in training and real-life projects.
Every good policy should include:
- Purpose – Why it exists.
- Scope – Who and what it applies to.
- Principles / Rules – What must be done.
- Responsibilities – Who does what.
- Exceptions / Enforcement – How to handle deviations.
- References – Linked procedures, standards, or guidelines.
That’s it.
No preambles, no jargon. Just a clean, auditable, readable document.
👉 If your policy template doesn’t include those six, start over.
8. Make It Human
If you want people to follow policies, they need to recognize themselves in them.
Use their language.
Show empathy.
And remember: “tone of voice” is also governance.
You can be serious without being robotic.
You can be compliant without being boring.
Because ultimately, compliance is not about documents, it’s about people doing the right thing when no one’s looking.
9. Policy Writing Cheatsheet
| ✅ Do | ❌ Don’t |
|---|---|
| Write for humans | Write for auditors |
| Keep it under 1 page | Copy-paste ISO text |
| Use verbs, not nouns | Hide behind “appropriate measures” |
| Assign ownership | Leave it to “the organization” |
| Review every year | Let it rot until the next audit |
10. Culture Beats Compliance
You can have the best policy in the world, but if leaders ignore it, so will everyone else.
Policies don’t enforce culture; they reflect it.
So before you publish your next policy, ask yourself one question:
“Would I personally follow this?”
If the answer is “not really,” rewrite it.
If your policy needs a police officer to work, it’s not a policy, it’s a threat.
👇 Wrap-up
Writing policies people actually follow isn’t about creativity, it’s about clarity, ownership, and respect for the reader.
The good news? You can learn the structure, tone, and format that works.
That’s exactly what we teach in:
And yes, we include a Policy Template Pack we use in real consulting projects.